), but we don't
run anything through SA larger than 256 KB (as is usually recommended).
I've blacklisted the IP, but it looks like a throwaway.
So I'm wondering - any ideas on dealing with giant-attachment spam?
I don't suppose there are enough efficiency gains in 3.0 to safel
r site" messages and
the author's URL being the spamvertized site.)
--
Kelson Vibber
SpeedGate Communications
Jeff Chan wrote:
Are they advertising legitimate sites or bad guy sites?
Gambling sites, "pillz" sites, etc. The usual.
More insidious are the ones that link to legit blogs that have already
been spammed, as described here:
http://photomatt.net/2004/08/01/weeds-in-the-garden/
--
Kel
is
still unencumbered, and thus usable in SA 3.0?
--
Kelson Vibber
SpeedGate Communications
ld be:
h (show headers)
> (step into attachment structure)
select the attachment
> (step into attachment)
--
Kelson Vibber
SpeedGate Communications
more compelling.
--
Kelson Vibber
SpeedGate Communications
encapsulated one. (Keep in mind that you'll
want to either disable SA calls from MIMEDefang or disable
spamass-milter so that you don't end up calling SA twice.) See
www.mimedefang.org
* Procmail ought to make this possible if you're using Sendmail's
vacation program. Other methods may vary.
--
Kelson Vibber
SpeedGate Communications
are valid sources for that sender domain.
Bad, *bad* idea. You're inviting DOSes. Given that the spammer has
control of his own SPF record, he can list anything he wants there --
say, 3 of his own servers followed by *Yahoo's* mail servers. Bang,
he's tricked you into blacklisting
ng
language-specific rulesets? Or perhaps to just run all rulesets,
regardless of language?
--
Kelson Vibber
SpeedGate Communications
his, since if people use it as designed, it
won't gain them anything. Although I can see them just putting up
"v=spf1 +all" at least short-term so that they can use their usual
zombie networks, though at least they'd have to use their own addresses
and deal with the bounces themselves.
--
Kelson Vibber
SpeedGate Communications
uld be treated as neutral). Alternatively, you can use
SMTP-AUTH to send through the mydomain.com mail server.
--
Kelson Vibber
SpeedGate Communications
s"
Someone made a suggestion to blacklist based on SPF results. Problems
were pointed out. The suggestion was withdrawn. The thread continues
anyway.
Such is the Way of the Internet.
--
Kelson Vibber
SpeedGate Communications
pass on through, otherwise, you may be bumping up
scores to give yourself false positives.
I'm inclined to agree here. On the other hand, it may be worth using an
SPF pass as a condition in a metarule that looks at the sending address.
--
Kelson Vibber
SpeedGate Communications
Surely you've seen this: "Puppy shoots Florida man"
http://www.semissourian.com/story.html$rec=145935
(Deliberately top posting to keep the subject tag accurate. And hey, if
it results in hot girlz, who am I to complain?)
scohen wrote:
I thought it was Guns kill people, people kill puppies and OM
for exactly this purpose:
http://bignosebird.com/notebook/rumplekill.shtml
The script as written just blackholes the IP address, but it's easy
enough to change what it runs when it catches one.
We used to get 10+ each day, but in the last few months it's gone down
to 2 or 3.
--
Kelson Vibber
SpeedGate Communications
The value is
the max number of allowed invalid recipients after which sendmail starts
delaying responses to sender. (Basically after each RCPT it sleeps
before sending "user unknown.")
Unfortunately the delay is (was) hardcoded to 1 second, but it'll at
least slow them down
o this with postmaster or
abuse, or you'll probably end up listed on RFC-ignorant.)
It's up to you to decide whether to let it train on actual viruses or not.
--
Kelson Vibber
SpeedGate Communications
David Brodbeck wrote:
Kelson wrote:
Mail sent from <> to a few addresses that we never use for outgoing
mail is rejected with an "Invalid bounce" explanation. (Don't do this
with postmaster or abuse, or you'll probably end up listed on
RFC-ignorant.)
AFAIK you won
le for RedHat.
Well, if you want to get technical, Fedora Core would be closer to
Debian Testing (assuming I understand the stable/testing/unstable
relationship correctly). The equivalent to Debian unstable would be
Rawhide (aka the Fedora Core development tree).
--
Kelson Vibber
SpeedGate Communications
Dan Mahoney, System Admin wrote:
Hey guys, as a quick survey, if you're blocking ips at the MTA level,
which are you using?
Just one: Spamhaus SBL+XBL
--
Kelson Vibber
SpeedGate Communications
't cause SpamAssassin
any problems.) And while the servers are still being actively
maintained, no one has done any work on the client in two years.
--
Kelson Vibber
SpeedGate Communications
ever/list for
more detail" and instead presenting a "friendlier" message like:
"One or more recipients failed."
It's a troubleshooter's nightmare, especially since half the time the
end-user wouldn't have needed to call in if he'd been able to see the
real message.
--
Kelson Vibber
SpeedGate Communications
lar things-that-call-SA.)
Does anyone know of any problems running SA 3.0 from MD 2.37?
Support for SA 3.0 was added in MD 2.42, so you'll need to upgrade at
least to that version (though of course upgrading to the latest and
greatest is recommended!)
--
Kelson Vibber
SpeedGate Communications
e" and
diluted any meaning that expression had.
Perhaps we need a new one.. NBSOSS.. No BS Open Source Software... :)
How about ROSS: Real Open Source Software?
--
Kelson Vibber
SpeedGate Communications
Kelson wrote:
Matt Kettler wrote:
Perhaps we need a new one.. NBSOSS.. No BS Open Source Software... :)
How about ROSS: Real Open Source Software?
Sorry to reply to my own post, but I came up with a few funnier ones:
TOSS - True Open Source Software.
FLOSS - Freely Licenced Open Source Software
U
them out, and I suspect that's what
you have installed.
--
Kelson Vibber
SpeedGate Communications
d.com/citizen/spam/alicia/alicia.html
Someone noticed the same model was showing up in a lot of different
spam, so he strung the pictures together and made up a story around them.
--
Kelson Vibber
SpeedGate Communications
also that FAKE_HELO_SHAW_CA doesn't seem to be in SA
3.0 except as an orphaned description in the dutch ruleset.
--
Kelson Vibber
SpeedGate Communications
rbl.org.
4. You read the message, wonder why the heck it triggered a SURBL check,
and look it up. Since it's already been removed, you don't find it.
--
Kelson Vibber
SpeedGate Communications
eferred DNSBL" thread:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/56704
--
Kelson Vibber
SpeedGate Communications
make the SPF test fail.
Only if it actually checks SPF. And even that won't affect the list of
trusted hosts. Incidentally, 80.110.248.122 *is* listed as a trusted
relay according to your debug info, well before it reaches the SPF plugin:
debug: received-header: relay 80.110.248.122 trusted?
address (@speed.net), it
wouldn't pass (mail.apache.org is not likely to be listed in the average
list member's SPF record)
--
Kelson Vibber
SpeedGate Communications
n_bounce(), which despite its name will issue an SMTP reject.
Even better would be to call action_quarantine_entire_message first, so
that you still have a record in the event of a false positive.
--
Kelson Vibber
SpeedGate Communications
so it was just a
matter of uninstalling the built-from-source copies and making sure the
right version of Razor was installed.
--
Kelson Vibber
SpeedGate Communications
rmine threading.
Those headers are created when you reply to a message, and remain after
you delete the subject and text.
--
Kelson Vibber
SpeedGate Communications
mpared the two, MIME::Tools
(which MD uses) wouldn't. (I think it was BinHex, but it might have
been something else.) With the amount of invalid mime out there (i.e.
there's no defined way to extract it, so each parser will attempt error
recovery differently), it's worth the o
t was added two
months ago in version 5.412. It looks like it uses a perl module rather
than the binhex binary.
(Speaking of the binhex binary, for anyone reading this, Red Hat/Fedora
includes it in the macutils package.)
--
Kelson Vibber
SpeedGate Communications
actually hit the web server
unless DNS says there's an update, so there's no problem.
--
Kelson Vibber
SpeedGate Communications
only
work if network tests are enabled.
--
Kelson Vibber
SpeedGate Communications
SA is adding the newline, it's either due to a configuration option
(check your local.cf) or due to a bug.
--
Kelson Vibber
SpeedGate Communications
for tackling phishing, I recommend installing the SARE_SPOOF ruleset.
It does a good job of catching a lot of these.
--
Kelson Vibber
SpeedGate Communications
nal features and an
administration interface. I haven't tried it myself, but I've heard
good things about it.
MIMEDefang: http://www.mimedefang.org/
Can-It: http://www.roaringpenguin.com/
--
Kelson Vibber
SpeedGate Communications
with these rules?
This morning, I saw rules_du_jour download old versions of 5 or 6
rulesets, fail on --lint, and roll back to the "previous" (but more
current) versions.
--
Kelson Vibber
SpeedGate Communications
lscanner, mimedefang, etc.)
--
Kelson Vibber
SpeedGate Communications
e DNS change propagates, it should be fine.
--
Kelson Vibber
SpeedGate Communications
here in between.
--
Kelson Vibber
SpeedGate Communications
control via configuration of the mimedefang filter.
And just to stave off the potential "don't bounce spam!" arguments, in
MIMEDefang-speak, "bounce" means "reject during the SMTP transaction,"
not "accept, then generate a bounce notice and send it to the supposed
sender."
--
Kelson Vibber
SpeedGate Communications
o make sure the return address exists.
** I've only done spot checks, but every time I have, they've fit this
pattern.
--
Kelson Vibber
SpeedGate Communications
never
reach your mailbox and popper should never see them.
Unfortunately all the hits I see end with "User unknown," so I don't
have any samples of what Verizon does when the recipient actually exists.
--
Kelson Vibber
SpeedGate Communications
bark patterns, and a fence
around the base.
--
Kelson Vibber
SpeedGate Communications
re whether you fill out any forms, since once you're infected with
spyware and downloaders they can grab whatever they want.
I don't think I still have it, but about a month ago one of these came
in to MAILER-DAEMON. Something about the idea that MAILER_DAEMON had an
Aunt Edna ju
to members.
6. Spammer signs up for Yahoo account, signs up for list, posts spam.
7. Same as step 4.
8. Repeat steps 6-7 until list owner decides to enable some degree of
moderation.
--
Kelson Vibber
SpeedGate Communications
y may have silently discarded my questions.
Does anyone here know more about them, or have any suggestions on what
to do next?
--
Kelson Vibber
SpeedGate Communications
Matt Kettler wrote:
At 07:01 PM 1/28/2005, Kelson wrote:
Meanwhile, we've been getting complaints about spam which, on
analysis, clearly contains forged Received headers. They have our IP
but the wrong HELO, and no or wrong reverse DNS...and of course they
don't show up in our lo
jdow wrote:
From: "Kelson Vibber" <[EMAIL PROTECTED]>
On Friday 28 January 2005 6:05 pm, jdow wrote:
I would ask the tweebs who black listed you precisely how they track it
to your address. I'd love to hear their reasoning.
Oh, I did! First they told me they couldn't
pper as everyone knows the
location of /usr/sbin/sendmail already.
You should be able to rename the sendmail binary, then place your
wrapper script at /usr/sbin/sendmail. That way anyone who tries to call
it at the usual place gets the wrapper.
--
Kelson Vibber
SpeedGate Communications
but I know MIMEDefang has some built-in
RBL functions, and people have posted several greylist implementations
that work within a MIMEDefang filter. With that setup, you could have
MD do the RBL lookup and conditionally run the greylist code.
--
Kelson Vibber
SpeedGate Communications
Unless the bug is still in FC2 or FC3, the place to send
the bug report would be the Fedora Legacy project, which is currently
handling fixes for Red Hat 7.3 and 9, and Fedora Core 1. (Fedora Legacy
is focused mainly on security fixes, though.)
http://www.fedoralegacy.org/
--
Kelson V
d upgraded MD, and MD saw there was
no sa-mimedefang.cf, so it created it with the defaults -- and the
defaults disable DNSBLs.
--
Kelson Vibber
SpeedGate Communications
day that people stop bouncing mail
sent using forged addresses. I checked the number of "User unknown"
hits we handle per day, and it's more than 10 times the number of
messages that make it through to an actual mailbox.)
--
Kelson Vibber
SpeedGate Communications
ably never come from any
other servers than these, but we're not absolutely certain," not "mail
will only ever come from these servers."
--
Kelson Vibber
SpeedGate Communications
the feature is to be implemented, because that
seems to me the most reasonable way to do it.)
--
Kelson Vibber
SpeedGate Communications
,
but isn't labeled as HTML.
--
Kelson Vibber
SpeedGate Communications
ect it, and it
stops. But if you're relaying to someone, and *they* reject it, now you
have to decide whether to generate a DSN or not. We've actually set up
a separate queue for bounces that aren't delivered immediately, so that
it won't bog down normal mail.
--
Kelson Vibber
SpeedGate Communications
oogle
for it. It was very easy to set up. I still use it.
I believe the package is just called caching-nameserver. With FC you
should be able to just do "yum install caching-nameserver" and it'll
pull in bind and any other dependencies.
--
Kelson Vibber
SpeedGate Communications
ese servers will stay
connected just to deliver an invalid bounce. And these aren't the ones
I really *wanted* to tarpit anyway (though they're annoying enough in
their own right).
--
Kelson Vibber
SpeedGate Communications
sion, with a legit
sender. If for some reason a site tries to open too many simultaneous
connections, they'll get sucked into the tarpit instead of waiting and
trying again.
--
Kelson Vibber
SpeedGate Communications
al service at a nominal cost. If you are interested,
please send me email at with your thoughts
on the design and pricing." (His email address is in the archived copy.)
--
Kelson Vibber
SpeedGate Communications
e *anti-forgery* technologies, not
anti-spam technologies. (Matt Kettler made a couple of good posts on
this subject yesterday in the "I like this one Particularly the BS
from Yahoo." thread.) It's just that detecting forgeries is also
useful in detecting spam -- and figuring out
find the new ones, but it shouldn't mess up the training.
It's just efficiency. If your system has the resources to handle it,
don't worry.
--
Kelson Vibber
SpeedGate Communications
-unrelated mailing list!).
That reminds me of a customer we had who asked us to disable all spam
filtering on his account. A few months later he cancelled because he
was "receiving too much spam."
A definite *headdesk* moment.
--
Kelson Vibber
SpeedGate Communications
he Bayes rules a bit, so that, RCVD_NUMERIC_HELO, and
RCVD_BY_IP landed it a score of 5.3.
Depending on how consistent the rest of them are, it might be possible
to track some of the phrases.
--
Kelson Vibber
SpeedGate Communications
ual domain
name. That name is currently in ws.surbl.org, sc.surbl.org, and
ob.surbl.org, but none of the rules fire on this message.
--
Kelson Vibber
SpeedGate Communications
Kelson wrote:
This is the first time I've noticed the protocol broken up by line breaks!
Forgot to mention: SA 3.0.2.
--
Kelson Vibber
SpeedGate Communications
rule I've tested which seems to hit the most spam is
...
Thanks. I'll try both sets of rules and see what works best here.
--
Kelson Vibber
SpeedGate Communications
t separate messages with the same content (but different
message IDs), SA will learn from both and the two sets of data will
balance each other out.
--
Kelson Vibber
SpeedGate Communications
it's supposed to, but it's still a false negative. An
expected one, but a misclassification nonetheless.
Robert: just running sa-learn --spam will unlearn the message, then
re-learn it as spam.
--
Kelson Vibber
SpeedGate Communications
BL_MULTI, which adds an extra
3 points if 3 or more SURBLs fire. So technically this should only have
been 60.173.
--
Kelson Vibber
SpeedGate Communications
ry
reason to assume something different based on the name.
--
Kelson Vibber
SpeedGate Communications
t I misread
that as Historical Score *Avenger*
--
Kelson Vibber
SpeedGate Communications
Matt Kettler wrote:
At 05:00 PM 5/4/2005, jdow wrote:
Accurate or not AWBL for Automatic White/Black List might be obscure
enough to inspire a minimal level of reading.
Along those lines, we could name it RTFM :)
The Real-Time "From:" Monitor?
--
Kelson Vibber
SpeedGate Communications
for /href=h$/ or /^ttp/ but not
/href=h\nttp/
--
Kelson Vibber
SpeedGate Communications
abling ALL_TRUSTED except as a last resort.
--
Kelson Vibber
SpeedGate Communications
path, and
his server setup does appear to use a local IP, which means that there's
a good chance that, *in his case*, the actual problem is not with the
ALL_TRUSTED *rule* but with the *actual trust path*. In that case,
disabling ALL_TRUSTED will not solve the real problem.
--
Kel
p the address* and
use another one. Chances are you have plenty of other sources for
spam.
--
Kelson Vibber
SpeedGate Communications
on his server forward
to an AOL address. As described later in the message.
--
Kelson Vibber
SpeedGate Communications
the easier to take. ;)
That probably makes SA worth it in employee mental health alone... :-D
--
Kelson Vibber
SpeedGate Communications
ng the same
procedure as step 8 in
http://wiki.apache.org/spamassassin/InstallingOnWindows
--
Kelson Vibber
SpeedGate Communications
demonstration of the fact that (at least some) spammers really don't pay
any attention to what's on their lists.
--
Kelson Vibber
SpeedGate Communications
using an older version of SA?
If you don't want to upgrade right now, just disable RCVD_IN_RFC_IPWHOIS
in local.cf:
score RCVD_IN_RFC_IPWHOIS 0
--
Kelson Vibber
SpeedGate Communications
for a while, because
spammers would put in a text/plain part but leave it empty.)
--
Kelson Vibber
SpeedGate Communications
Loren Wilton wrote:
I have to admit though that this is the most amusing hostname that "Jill"
has come up with (that I've seen) so far. :-)
I recently received a porn spam with a wildcard domain name. One of the
links was to http://horrible.b_jobs.com
--
Kelson V
EALLY learend at shocol...
--
Kelson Vibber
SpeedGate Communications
essage to those trends. It needs to be able to
compare junk mail to legit mail in order to determine that, for example,
"pills" is more likely to show up in spam, "the" is neutral, and "ninja"
is more likely to show up in personal correspondence.
--
Kelson Vibber
SpeedGate Communications
link to http://www.example.com/ in this
message, a SURBL will check example.com, but a standard RBL will check
the IP address of mail.apache.org (since that's the server that will
probably send you this message).
--
Kelson Vibber
SpeedGate Communications
the same template). The key
point being that Razor generates signatures from all MIME parts, images
included.
Depending on the default config, it may already take care of these.
--
Kelson Vibber
SpeedGate Communications
clients (KMail,
for instance) have the ability to filter mail through SpamAssassin as
they download it via POP.
--
Kelson Vibber
SpeedGate Communications
thout hesitation!
As for the IP, treat it the same way you'd treat the IP in
non-SPF-compliant spam. They can authorize any IP they want, whether
it's (legitimately) under their control or not.
--
Kelson Vibber
SpeedGate Communications
ikely -- that expiration date is still 4 weeks in the future, so it
shouldn't be an issue.
--
Kelson Vibber
SpeedGate Communications
yone could do things like that.
*sigh*
--
Kelson Vibber
SpeedGate Communications